git.baikalelectronics.ru Git - kernel.git/commit

squashfs: add more sanity checks in xattr id lookup

Sysbot has reported a warning where a kmalloc() attempt exceeds the
maximum limit.  This has been identified as corruption of the xattr_ids
count when reading the xattr id lookup table.

This patch adds a number of additional sanity checks to detect this
corruption and others.

1. It checks for a corrupted xattr index read from the inode.  This could
   be because the metadata block is uncompressed, or because the
   "compression" bit has been corrupted (turning a compressed block
   into an uncompressed block).  This would cause an out of bounds read.

2. It checks against corruption of the xattr_ids count.  This can either
   lead to the above kmalloc failure, or a smaller than expected
   table to be read.

3. It checks the contents of the index table for corruption.

[phillip@squashfs.org.uk: fix checkpatch issue]
Link: https://lkml.kernel.org/r/270245655.754655.1612770082682@webmail.123-reg.co.uk
Link: https://lkml.kernel.org/r/20210204130249.4495-5-phillip@squashfs.org.uk
Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
Reported-by: syzbot+2ccea6339d368360800d@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

author	Phillip Lougher <phillip@squashfs.org.uk>
	Tue, 9 Feb 2021 21:42:00 +0000 (13:42 -0800)
committer	Linus Torvalds <torvalds@linux-foundation.org>
	Wed, 10 Feb 2021 01:26:44 +0000 (17:26 -0800)
commit	12ea06332ce9b33286019ef7b28e1eaa3e5370af
tree	b627cb280569c5ed0e293dd2ba59ed198ed967f5	tree \| snapshot
parent	4cfe3f6677073f1031ff5264a69e9cb29b05bc0b	commit \| diff